I turned on logall and I see the following message in archive.log:

2016 Oct 05 17:07:38 (porssng1a) 10.209.94.25->last 10 ossec: output: 'last 10': wtmp begins Fri Jul 11 15:58

-----Original message-----
From: [email protected] [mailto:[email protected]] On behalf of dan (ddp)
Sent: Wednesday, 05 October 2016 12:58 p.m.
To: [email protected]
Subject: Re: [ossec-list] last -10

On Wed, Oct 5, 2016 at 11:44 AM, Adiel Navarro <[email protected]> wrote:
> If I understand correctly, when I turn on the logall option, all the logs of all the
> commands configured in the agents send their outputs to the server, right?
>
> How can this affect the performance of the ossec server?
>
> I just need the last command output.
>

I don't understand the question.
The logall option will log all messages being sent to the server from the agents.
This information is logged in archives.log. You can use archives.log to see how the
messages actually look from the agent. Using that log sample, it'll be a lot easier
to write a rule that correctly matches.

>
> -----Original message-----
> From: [email protected] [mailto:[email protected]] On behalf of dan (ddp)
> Sent: Wednesday, 05 October 2016 10:01 a.m.
> To: [email protected]
> Subject: Re: [ossec-list] last -10
>
> On Wed, Oct 5, 2016 at 10:59 AM, Adiel Navarro <[email protected]> wrote:
>> Sure, I restarted the services on the ossec server.
>>
>> How can I turn on the log_all option?
>>
>> Do you have any example?
>>
>
> Sorry, it's "logall" not "log_all."
> https://ossec.github.io/docs/syntax/head_ossec_config.global.html?highlight=logall#element-logall
>
>> Actually, I see that in var/ossec/logs/archives/archives.log on the server...
>>
>> drwxr-x--- 8 ossec ossec 4096 Oct 1 00:00 2016
>> -rw-r----- 2 ossec ossec    0 Oct 5 00:00 archives.log
>>
>> -----Original message-----
>> From: [email protected] [mailto:[email protected]] On behalf of dan (ddp)
>> Sent: Wednesday, 05 October 2016 09:40 a.m.
>> To: [email protected]
>> Subject: Re: [ossec-list] last -10
>>
>> On Wed, Oct 5, 2016 at 10:37 AM, Adiel Navarro <[email protected]> wrote:
>>> No, the rule is not commented.
>>> Meanwhile, I deleted the --> sign...
>>>
>>
>> Did you restart the OSSEC processes on the server?
>> You can try turning the log_all option on and check the archives.log to make
>> sure your match will actually match the log messages sent over. I usually
>> use aliases to make this easier.
>> Also, make sure the output changes. If there are no changes, there will be
>> no alert.
>>
>>> -----Original message-----
>>> From: [email protected] [mailto:[email protected]] On behalf of dan (ddp)
>>> Sent: Wednesday, 05 October 2016 09:25 a.m.
>>> To: [email protected]
>>> Subject: Re: [ossec-list] last -10
>>>
>>> On Wed, Oct 5, 2016 at 10:15 AM, Adiel Navarro <[email protected]> wrote:
>>>> Sure,
>>>> I configured the following rule in local_rules.xml on the ossec server:
>>>>
>>>> <rule id="140126" level="7">
>>>>   <if_sid>530</if_sid>
>>>>   <match>ossec: output: 'last -10 </match>
>>>>   <check_diff />
>>>>   <description>Last connections. </description>
>>>> </rule> -->
>>>>
>>>
>>> The "-->" marks the end of a comment. Could you possibly have the rule
>>> currently commented out?
>>>
>>>> L.I. Adiel Jesús Navarro Rosado
>>>> O&M Analyst, Operational Security
>>>> A: [email protected]
>>>> Ext. 5179
>>>> 5510101509
>>>>
>>>> -----Original message-----
>>>> From: [email protected] [mailto:[email protected]] On behalf of dan (ddp)
>>>> Sent: Wednesday, 05 October 2016 06:22 a.m.
>>>> To: [email protected]
>>>> Subject: Re: [ossec-list] last -10
>>>>
>>>> On Tue, Oct 4, 2016 at 6:21 PM, Aj Navarro <[email protected]> wrote:
>>>>> I want to monitor the last connections on a server.
>>>>>
>>>>> I configured the last -10 command in a client's ossec.conf:
>>>>>
>>>>> <localfile>
>>>>>   <log_format>full_command</log_format>
>>>>>   <command>last 10</command>
>>>>>   <frequency>60</frequency>
>>>>> </localfile>
>>>>>
>>>>> I need the output of this command to be sent to the ossec
>>>>> server, but I am not seeing any alert in the ossec wui.
>>>>>
>>>>> Do I need to configure anything else on the client or on the ossec
>>>>> server?
>>>>>
>>>>
>>>> Did you create a rule to look for the information coming from the command?
>>>>
>>>>> --
>>>>>
>>>>> ---
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "ossec-list" group.
>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>> send an email to [email protected].
>>>>> For more options, visit https://groups.google.com/d/optout.
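The following is an added example and is not code from the thread or from OSSEC itself. It takes archives.log lines in the layout Adiel posted above (timestamp, agent name, agent IP, location, then "ossec: output: '<command>': <output>"), applies a rule's <match> string to them, and mimics <check_diff/>, which only alerts when the command output differs from the previous run. It shows the two points dan raises: the posted match string "ossec: output: 'last -10 " can never fire for an agent <command> of "last 10", and an unchanged output produces no second alert. The match_for_command helper, the DiffRule class, the in-memory "last output" bookkeeping (OSSEC's own check_diff works differently internally; this is a simplified stand-in) and every sample log line are constructed for this example.

```python
import re

# archives.log line layout for an agent command, as seen in the thread:
#   <timestamp> (<agent name>) <agent ip>-><location> ossec: output: '<command>': <output>
ARCHIVE_LINE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"\((?P<agent>[^)]+)\) (?P<ip>[\d.]+)->(?P<location>.*?) "
    r"(?P<log>ossec: output: .*)$"
)


def parse_archive_line(line):
    """Split one archives.log line into its fields, or return None if it is
    not an agent full_command line (syslog lines etc. are skipped)."""
    m = ARCHIVE_LINE.match(line)
    return m.groupdict() if m else None


def match_for_command(command):
    """The prefix that precedes full_command output: a rule's <match> string
    should be derived from the agent's <command> string, not typed by hand."""
    return "ossec: output: '%s':" % command


class DiffRule:
    """Simplified stand-in for a rule with <match> plus <check_diff/>: fires
    only when the log contains the match string AND the output differs from
    the last output seen for the same agent and location."""

    def __init__(self, rule_id, match):
        self.rule_id = rule_id
        self.match = match
        self._last_output = {}   # (agent, location) -> last output seen

    def evaluate(self, rec):
        if self.match not in rec["log"]:
            return None
        key = (rec["agent"], rec["location"])
        previous = self._last_output.get(key)
        self._last_output[key] = rec["log"]
        if previous == rec["log"]:
            return None          # unchanged output: check_diff suppresses it
        return {"rule": self.rule_id, "agent": rec["agent"], "log": rec["log"]}


def run_rule(lines, rule):
    """Feed archives.log lines through a rule and collect the alerts."""
    alerts = []
    for line in lines:
        rec = parse_archive_line(line)
        if rec is not None:
            alert = rule.evaluate(rec)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed archives.log sample: two identical polls of "last 10", a third
# poll where a new login appears, and an unrelated syslog line the parser skips.
SAMPLE_LINES = [
    "2016 Oct 05 17:07:38 (porssng1a) 10.209.94.25->last 10 ossec: output: 'last 10': wtmp begins Fri Jul 11 15:58",
    "2016 Oct 05 17:08:38 (porssng1a) 10.209.94.25->last 10 ossec: output: 'last 10': wtmp begins Fri Jul 11 15:58",
    "2016 Oct 05 17:09:38 (porssng1a) 10.209.94.25->last 10 ossec: output: 'last 10': adiel pts/0 10.209.94.1 Wed Oct  5 17:09 still logged in wtmp begins Fri Jul 11 15:58",
    "2016 Oct 05 17:09:40 (porssng1a) 10.209.94.25->/var/log/messages Oct  5 17:09:40 porssng1a sshd[1234]: Accepted password for adiel from 10.209.94.1 port 40000 ssh2",
]

if __name__ == "__main__":
    # The rule as posted in the thread: its match string says 'last -10 ...
    wrong = DiffRule("140126", "ossec: output: 'last -10 ")
    print("alerts with the posted match string:", len(run_rule(SAMPLE_LINES, wrong)))   # 0

    # The match string derived from the agent's actual <command>: the first
    # poll alerts, the identical second poll is suppressed, the third alerts.
    right = DiffRule("140126", match_for_command("last 10"))
    for a in run_rule(SAMPLE_LINES, right):
        print("rule %s fired on %s: %s" % (a["rule"], a["agent"], a["log"]))
```

Running the script shows zero alerts for the posted match string and two for the one built from the configured command, which is exactly the check dan suggests doing by eye against archives.log: copy the "ossec: output: '...':" prefix from the archived line into <match> rather than retyping the command.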
